
NGINX reverse proxy HTTPS routes non-functional despite certbot SSL

I have NGINX set up as a reverse proxy to serve a Node server from a single Ubuntu 18.04 EC2 instance (NGINX and the Node server are both on the same instance). Certbot installed and configured successfully, and HTTP routes come through with no issue, but when I try to hit an HTTPS endpoint I get ERR_CONNECTION_CLOSED on my client (which is hosted on GH Pages, but I don't think that's relevant?).

My EC2 instance is set up to accept all traffic on ports 80 and 443; my server is listening on port 3333.

Currently ufw is inactive, but I have tried enabling it and allowing 'NGINX FULL'. The requests still failed in this scenario, but I received a connection timeout error instead of connection closed.

NGINX error logs example output:

2020/05/13 23:17:23 [error] 13581#13581: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 159.xxx.xxx.35, server: api.example.net, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3333/", host: "54.xxx.xx.xxx:80"

My NGINX server blocks are as follows:

server {
  listen 443 ssl;
  server_name api.example.net www.api.example.net;

  ssl_certificate /etc/letsencrypt/live/api.example.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;

  # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3 where the build supports it) is enough for current clients.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  location / {
    proxy_pass http://localhost:3333/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # The conventional header names are X-Forwarded-For / X-Forwarded-Proto (the original block spelled them X-Forward-*).
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # This is the TLS listener, so tell the upstream the client connected over https.
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Nginx-Proxy true;
    proxy_redirect off;
  }
}

server {
  listen 80;
  server_name api.example.net www.api.example.net;
  # return 301 https://$host$request_uri;
  location / {
    proxy_pass http://localhost:3333/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Same header-name fix as in the 443 block; the scheme is plain http here.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_set_header X-Nginx-Proxy true;
    proxy_redirect off;
  }
}

I've been googling for the last 18 hours and my brain is bleeding; any and all suggestions will be greatly appreciated.

I was able to connect to your server on HTTPS (you forgot to redact the domain in the error log). The server itself seems to work fine (I got the error "Cannot GET /"). I suspect your client on gh-pages gets the ERR_CONNECTION_CLOSED error because CORS is not allowing it to talk to your server.

This question may be helpful: POST API call returns CORS error without https and ERR_CONNECTION_CLOSED without

If you want to allow CORS with nginx, then this may work (snippet from enable-cors.org). After you get it working, you should probably improve security by not allowing all origins.

#
# Wide-open CORS config for nginx
#
# Merge these directives into your existing `location /` next to proxy_pass;
# on its own this location has no upstream. Once it works, replace '*' with
# the exact origin of the GH Pages site (scheme + host) so only that site is allowed.
#
location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        # Answer the preflight here; it is never sent to the Node upstream.
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
}

I hope this helps!
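The following is an added example, not part of the answer above or of enable-cors.org: a small Python model of the decision the nginx snippet makes (preflight answered with 204 and the same header values; GET/POST proxied with CORS headers merged in), tightened to the origin allowlist the answer recommends instead of '*'. The allowed origin and the 403 for a preflight from an unknown origin are assumptions chosen for the example.

```python
from typing import Dict, Optional, Tuple

# Values taken from the nginx snippet above.
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = ("DNT,User-Agent,X-Requested-With,If-Modified-Since,"
                   "Cache-Control,Content-Type,Range")
EXPOSED_HEADERS = "Content-Length,Content-Range"
MAX_AGE_SECONDS = 1728000  # 20 days, as in the snippet

# Assumed allowlist: a constructed placeholder standing in for the GH Pages
# site's exact origin (scheme + host, no path, no trailing slash).
ALLOWED_ORIGINS = frozenset({"https://example.github.io"})


def cors_headers(method: str, origin: Optional[str],
                 allowed_origins=ALLOWED_ORIGINS) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status_override, headers) for one incoming request.

    status_override is 204 when nginx should answer the preflight itself
    (the snippet's `return 204`), 403 for a preflight from an origin that is
    not on the allowlist (an assumed choice), or None when the request is
    proxied to the Node upstream with `headers` merged into its response.
    """
    method = method.upper()
    if origin is None:
        # Same-origin or non-browser request: no CORS headers are needed.
        return None, {}
    if origin not in allowed_origins:
        # Unknown cross-origin caller: emit no Allow-Origin, so the browser
        # blocks the response; refuse the preflight outright.
        return (403 if method == "OPTIONS" else None), {}
    common = {
        # Echo the one allowed origin instead of '*'; Vary keeps caches from
        # serving this response to a different origin.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    }
    if method == "OPTIONS":
        return 204, {**common,
                     "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
                     "Content-Type": "text/plain; charset=utf-8",
                     "Content-Length": "0"}
    if method in ("GET", "POST"):
        return None, {**common, "Access-Control-Expose-Headers": EXPOSED_HEADERS}
    # Methods outside Allow-Methods get no CORS headers, mirroring the snippet.
    return None, {}
```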
